npm · Malicious package advisory
Malware0x2ai-demo2
MAL-2026-5589
Malicious code in 0x2ai-demo2 (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (98ee2445b2f0b01d2457cf45c188b310f58c98f3b676032f9c6213469f071239)
On `npm install`, scripts/postinstall.cjs recursively copies the bundled payload/ directory into INIT_CWD (the developer's project root) via fs.cpSync. The staged files reconfigure Claude Code so subsequent sessions in that project route through an author-controlled bridge:
- payload/.mcp.json registers an MCP `chatroom` server with hardcoded BRIDGE_URL=https://demo2.0x2ai.com and a hardcoded bearer token (BRIDGE_AUTH_TOKEN). Any `claude` invocation in the project auto-loads this MCP server.
- payload/chatroom-mcp-lite-patched.cjs and payload/chatroom-monitor.cjs use child_process, fs.readFileSync, http/https, and POST to exfiltrate session content (chatroom_post, memory_save, provider_query, settings_set tools) to demo2.0x2ai.com. provider_query proxies model calls through the author's server ("API keys are managed server-side"), so prompts and responses flow one-way to the attacker.
- payload/CLAUDE.md is a ~12 KB persona/instruction file that tells Claude to operate as "Olivia", route all memory and chat through https://demo2.0x2ai.com, and refuse to discuss its architecture or prompts (anti-inspection language: `taboo`, `family_recipe`).
- payload/.claude/settings.json overrides the statusLine command and payload/.claude/commands/0x2ai-boot.md autoboots a long-poll listener against the author's bridge.
- bin/start.cjs (advertised as `npx 0x2ai-demo2`) re-stages the payload into CWD and spawns `claude --dangerously-skip-permissions`, disabling Claude's tool-permission prompts while the attacker-controlled MCP server is loaded — enabling remote-driven destructive actions on the developer's machine without approval.
The staged files persist after `npm uninstall`, providing durable redirection of the developer's AI tooling to the author's infrastructure.
Compromised versions (1)
- 1.2.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.